How Will the Data Security Law Affect Multinational Companies' Business in China?

Zhoutai Research Institute (周泰研究院) 2022-10-02


Summary    

The full text of the Data Security Law (the “DSL”) was officially issued by the Chinese government on 10 June 2021. Upon the law's release, US electric vehicle maker Tesla immediately said in a Weibo post that it would strictly abide by the newly unveiled DSL in China and protect consumers' data-related rights and interests. How will the DSL affect the business of foreign-invested enterprises in China, and what should foreign investors take note of? In fact, the DSL contains a number of provisions with extraterritorial reach and cross-border effects. The DSL establishes extraterritorial jurisdiction over foreign entities that engage in data activities inside and outside of China that harm national security or the public interest (Article 2), and empowers the state to adopt countermeasures against countries or regions that impose restrictive or discriminatory trade and investment safeguards against China (Article 26). Moreover, the DSL imposes quite wide-ranging obligations on individuals or entities processing Chinese data, and imposes severe penalties for failure to safeguard that data. Directly relevant to multinational companies (“MNCs”) operating in China, Article 31 will essentially make it more difficult for MNCs to transfer data outside of China, and when foreign law enforcement agencies request access to data stored in China, Article 36 requires that the individual or entity concerned first report to and receive approval from the relevant Chinese government authorities. This article provides a practical view of these key points of the DSL for readers' reference.

◇Background

China, home to the world's largest number of internet users, officially issued the full text of the DSL after it was approved during the 29th session of the Standing Committee of the 13th National People's Congress on 10 June 2021. As indicated in this meeting, data is a country’s basic strategic resource, and there will be no national security without data security. Alongside China's Cyber Security Law (the “CSL”), which was enacted in 2016, the adoption and enactment of the DSL marks the basic establishment of a legal framework for data and information security in China. It is worth noting that the personal information protection law is still under review, which will also improve China's legislative system for data protection.

The DSL, which has undergone three reviews and amendments since June 2020 and will take effect in September this year, shows that China's legal system will continue to be improved in terms of network and information security, providing strong legal support for individual privacy as well as the safe and healthy development of the digital economy. China is hoping to have the digital sector play a bigger part in the country’s economy, and is contemplating establishing a data governance regime by the DSL that strikes a balance between strong government control, a healthy market for data and protection of consumer privacy.

◇Scope of application and extraterritorial effects

Similar to the CSL, the DSL is intended to be generally applicable to any data handling activities (defined below) that take place within China (Article 2). In addition, the DSL also introduces broad definitions of data, data handling, and data security (Article 3). Data refers to any record of information in electronic or other forms. Data handling refers to data activities including but not limited to collection, storage, use, processing, transmission, provision, transactions, and publication of data. Data security is defined as adopting necessary measures to ensure that data is effectively protected, used legitimately, as well as possessing the capacity to ensure a sustained state of security.

Interestingly, in terms of the extraterritorial effects of the DSL, Article 2 explicitly provides that any organization or individual outside the territory of China will be investigated for legal liability if such an organization or individual harms the national security, public interests or legitimate rights and interests of the citizens and organizations of China in carrying out data activities.

In other words, organizations and individuals outside of China will also be subject to the DSL, provided that they conduct data activities which may impair China’s national security, public interests, or the rights of Chinese citizens. Such extraterritorial reach appears to be even broader than that of the CSL, whose extraterritorial effect applies only when any entity or person outside of China attacks, intrudes or otherwise causes damage to the Critical Information Infrastructure (the “CII”) operators of China and results in serious consequences.

In the context of the fierce competition for data resources among countries, it has become an international trend for countries to struggle for data sovereignty and expand their jurisdiction over data security. For example, in 2016, the European Union promulgated the General Data Protection Regulation (the “GDPR”), in which Article 2 has also expanded the scope of extraterritorial application of the GDPR by creating the establishment criterion and targeting criterion.

According to Article 3.1 of the GDPR, the establishment criterion means that the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. According to Article 3.2 of the GDPR, the targeting criterion means that the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or (b) the monitoring of their behavior as far as their behavior takes place within the EU.

Compared with these two clear criteria provided in Article 3 of the GDPR, the DSL does not further clarify when extraterritorial jurisdiction applies to conduct that "impairs the national security, public interests, or legitimate rights and interests of citizens and organizations of China". We understand that this maintains flexibility in the application of the DSL to a certain extent and leaves Chinese law enforcement agencies more room for interpretation and implementation. However, the DSL does not specify whether the damage needs to reach a certain standard, and because it is difficult to find an appropriate standard in the actual application of the DSL, this ambiguity of extraterritorial effect would be likely to cause unnecessary international disputes when the DSL takes effect from 1 September 2021.

◇Cross-border transfer of important data

Article 21 of the DSL stipulates that a data protection policy based on the hierarchical classification and categorization of data and the “important data catalogue” shall be established at the national level. Nonetheless, the DSL does not provide a definition of important data, which may be defined in future implementing rules.

Article 31 of the DSL differentiates how the cross-border transfer of important data is to be treated by CII operators and by other data processors. Specifically, the CSL would apply to the administration of transfers of important data collected and generated by CII operators during their operations in China. The Cyberspace Administration of China (the “CAC”), together with the relevant department of the State Council, would make relevant rules to govern cross-border transfers of important data by other data processors.

According to the DSL, those who violate the above regulation and provide important data to overseas actors may face fines of no less than RMB 100,000 but no more than RMB 1,000,000; but if circumstances are more serious, with core state data being mishandled or national sovereignty being endangered, a fine of up to RMB 10,000,000 may be imposed and their business or business license may be suspended or revoked.

Neither the CSL nor the DSL gives a clear definition of CII. They only provide a non-exhaustive list of selected critical industries and areas whose information infrastructure would be regarded as CII, including public communications, information services, energy, transport, water conservancy, finance, public services, and e-governance, and more broadly, other information infrastructure which may cause serious consequences if it suffers any damage, loss of function, or leakage of data. The CSL provides that CII operators shall store within the PRC the personal information and important data gathered and produced during operations within the PRC, and that any export of such personal information and data outside China for business needs is subject to security assessment.

As for other data processors that do not fall within the scope of CII operators, how the CAC and other authorities will draft the relevant security management measures to govern their cross-border transfer of important data awaits further clarification and legislation.

For MNCs like Tesla, this regulation means localization of important data and export control by the Chinese authorities in the case of cross-border transfer of such data, which will have a significant influence on the MNCs’ business in China. For example, as Tesla sets up a factory in China, in principle the data generated in the operation of its business in China shall also be stored in China and be subject to supervision by the relevant Chinese data regulator. Under the DSL, MNCs that transfer data overseas without proper approval from the Chinese authorities will face a penalty of up to 10 million yuan and could be forced to shut down, a severe penalty that had not been provided in the earlier second draft of the DSL that was submitted for review in April 2021.

◇Provision of data to foreign judicial or law enforcement bodies

Article 36 of the DSL provides in general terms that foreign judicial or law enforcement bodies require permission from the Chinese authorities to access data stored within China, in accordance with relevant laws and the international treaties and agreements concluded or participated in by China. Organizations and individuals in China are prohibited from providing data requested by foreign judicial and law enforcement bodies until they have reported the request to the relevant authorities and obtained permission to disclose.

According to the DSL, those who hand over important data to a foreign judicial or law enforcement body without prior approval may face fines of no less than RMB 100,000 but no more than RMB 1,000,000; but if circumstances are more serious, with core state data being mishandled or national sovereignty being endangered, a fine of up to RMB 5,000,000 may be imposed and their business or business license may be suspended or revoked.

We can expect that the enactment of the DSL will create more challenges for MNCs in China in complying with inherently conflicting rules in different jurisdictions. MNCs in China may be under an obligation to provide data requested by foreign judicial and law enforcement bodies even when doing so would violate the provisions of the DSL.

For instance, former U.S. president Donald Trump signed the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) into law in 2018, which enables U.S. law enforcement agencies to demand access to online information no matter what country the data is stored in, and which could be in conflict with China’s DSL. We can imagine a scenario in which a U.S. law enforcement agency or court orders a U.S. company to provide materials located in China through its Chinese subsidiaries.

On the one hand, the CLOUD Act gives U.S. law enforcement agencies extraterritorial power to access electronically stored communications data located in China, provided that the information sought is relevant and material to an ongoing criminal investigation. Failure to comply may result in negative consequences ranging from fines to adverse judgments.

On the other hand, acting as a blocking statute against such extraterritorial reach, the DSL would effectively block any such data export to U.S. law enforcement agencies in judicial proceedings unless prior Chinese government approval is obtained, and the timeline for that approval is uncertain. Thus, Chinese subsidiaries of these MNCs will be restricted from providing information overseas directly in response to a foreign law enforcement activity or a judicial proceeding.

Conclusion

The DSL has so far only set a broad framework for the governance of data, and MNCs also need to wait for other corresponding regulations and implementation rules to understand how the DSL will be applied in practice.

However, the DSL will undoubtedly make it more difficult for MNCs, especially those with cross-border transfers of information and data, to adapt to the increasingly complicated regulatory environment, and such MNCs have little time to prepare as the DSL is set to come into effect on September 1.

The DSL is an important piece of legislation that is worthy of MNCs' continued attention. We can expect to see more corresponding regulation in the future during enforcement to punish data security breaches and impose additional controls on data outflow by MNCs. Questions regarding the implementation of the DSL remain open. We anticipate that the DSL will be guided by China’s national strategies regarding national security and the digital economy, and we will closely follow and monitor future legislative developments.

Please feel free to contact the author should you have any questions on the extraterritorial reach and cross-border effects of the DSL.


Note: This article is a free, periodical electronic publication edited by the author and intended to provide non-exhaustive, general legal information. The article is not intended to be and should not be construed as providing legal advice, and the author shall not be held responsible for any damages, direct, indirect or otherwise, arising from any use of the information in this article.

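About the author

Sun Kunming (孙坤铭)

Beijing Zhoutai Law Firm

Counsel

Email: zt@zhoutailaw.com

Sun Kunming holds a Master's degree in business law from Aix-Marseille University in France and a Bachelor of Laws from Renmin University of China Law School, and is qualified as a lawyer in China. Sun's practice areas are cross-border mergers and acquisitions, joint ventures, project finance and infrastructure, competition law, and general corporate matters.

Sun Kunming previously served as legal counsel in the Beijing office of the French international law firm Gide (基德). Sun has taken part in numerous direct investment and M&A transactions carried out in China by world-leading foreign companies from different industries, is familiar with the legal issues that arise at each stage of such investment projects, and has assisted the Chinese subsidiaries and representative offices of foreign companies with day-to-day corporate matters. In international arbitration, Sun also has experience helping domestic and foreign clients resolve cross-border commercial disputes through arbitration.

In addition, Sun Kunming has built up extensive expertise in Chinese competition law, assisting numerous foreign clients with merger control filings to the Anti-Monopoly Bureau of the State Administration for Market Regulation, and advising numerous large domestic and foreign companies on legal risks and compliance issues under China's Anti-Monopoly Law.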

